Pegasus spyware surveillance: The devil lies in what we don’t know

The existing state of surveillance in India is alarming. Not only do the prevalent and proposed legal regimes fail to safeguard our right to privacy, but we do not even know the extent of surveillance conducted by the Government of India.

We usually find out how secure (or unsecure) our lives are, not from the government. but from organisations and individuals committed to increasing transparency around these issues. This time around, an international collaborative investigation titled “Pegasus Project”, has accessed a leaked database of phone numbers, supposedly provided by government clients of an Israeli spyware firm called NSO.

The investigation revealed that these numbers may have been targeted using Pegasus, a military grade spyware. The Wire has reported that the database contains “over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others”. Shockingly, it is also reported that “among the numbers in the Pegasus Project database is one that was registered in the name of a sitting Supreme Court judge.”

Amnesty International conducted a forensic analysis of a small cross-section of phones associated with these numbers and found that 37 phones of which 10 belong to Indians, were definitely targeted by the Pegasus spyware. Once Pegasus is installed on a phone, it can record conversations, harvest GPS data, monitor WhatsApp conversations, access photos and videos and even activate the microphone and camera.

What is even more concerning is that NSO, according to its Transparency and Responsibility Report 2021, designs and sells its products for the “sole use of thoroughly vetted and approved governmental agencies”. The Pegasus Project addressed a questionnaire to the Government of India asking it of its use of the Pegasus spyware. According to ANI, the government has replied that “there has been no unauthorised interception of government agencies.

This is deeply concerning - the government has not categorically denied conducting surveillance using the Pegasus spyware. Notably, Section 69 of the Information Technology Act, 2000 (IT Act) authorises the government to conduct surveillance. The draconian provision permits the government to intercept, monitor or decrypt information without any judicial oversight. However, the provision does not permit the government to install spyware or hack a mobile device. In fact, Section 66 read with Section 43 of IT Act, 2000 explicitly criminalises hacking of a mobile device.

Moreover, the constitutional standard established in KS Puttaswamy v. Union of India requires that any instance of surveillance must be legitimate, proportionate and necessary. Surveillance conducted using the Pegasus spyware, which is extremely intrusive, does not conform to any of those requirements, especially since “less intrusive” alternatives are available to the government.

There are also concerns surrounding the clandestine nature of government mandated surveillance. In the absence of adequate information on the surveillance conducted currently, the victims are often denied constitutional remedies available to them under Articles 32 and 226 of the Constitution. There is little transparency pertaining to government orders under Section 69. Even in response to the Right to Information applications filed by the Internet Freedom Foundation, which amongst other things, merely sought the total number of Section 69 orders issued, the government refused to provide that information citing national security concerns.

Clearly, the government is abjectly hesitant in addressing its surveillance practices. Currently, there are two private member bills tabled in Parliament delineating specific frameworks related to surveillance reforms. However, the government’s ‘Draft Personal Data Protection Bill’ (PDPB) does not refer to surveillance reforms at all. Instead, the government has carved out a notification that empowers the government to exempt any of its agencies from the purview of the draft PDPB. The Justice Srikrishna Committee also deemed surveillance reforms outside the ambit of data protection.

While the Supreme Court in Puttaswamy has held that Indians have a fundamental right to privacy, we do not know how private our lives are from the Government of India. The fundamental freedoms of citizens cannot be advanced until they are made aware of the extent to which they may potentially be infringed. The right to privacy, then, goes hand-in-hand with the right free access to information, and the right to governmental transparency. To achieve these ends, there must be an independent probe into the government’s practices of surveillance including their use of the Pegasus spyware.

Yashaswini Basu is a Privacy and Right to Information Fellow at the Internet Freedom Foundation.

Krishnesh Bapat is an advocate and a Centre for Communication Governance Digital Rights Fellow at the Internet Freedom Foundation.

Disclaimer: The views and opinions expressed in this article are those of the authors' and do not necessarily reflect the views of Bar & Bench.